TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Annual Assessment of the Internal Revenue Service Information Technology Program

September 30, 2013

Reference Number: 2013-20-126

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

Phone Number / 202-622-6500
E-mail Address / TIGTACommunications@tigta.treas.gov
Website / http://www.treasury.gov/tigta


HIGHLIGHTS

ANNUAL ASSESSMENT OF THE INTERNAL REVENUE SERVICE INFORMATION TECHNOLOGY PROGRAM

Highlights

Final Report issued on September 30, 2013

Highlights of Reference Number: 2013-20-126 to the Internal Revenue Service Chief Technology Officer.

IMPACT ON TAXPAYERS

The IRS relies extensively on its computer systems to carry out the responsibilities of administering our Nation's tax laws. As such, it must ensure that its computer systems are effectively secured to protect sensitive financial and taxpayer data. In addition, successful modernization of IRS systems and the development and implementation of new information technology applications are necessary to meet evolving business needs and to enhance services provided to the American taxpayer. The IRS also needs to ensure that it leverages viable technological advances as it modernizes its major business systems and improves its overall operational environment. This includes ensuring that information technology solutions are cost-effective and support mandatory Federal requirements and electronic tax administration goals.

WHY TIGTA DID THE AUDIT

This audit is included in our Fiscal Year 2013 Annual Audit Plan under the major management challenge of Modernization; however, it also addresses other challenge areas (e.g., Security for Taxpayer Data and Employees and Implementing the Affordable Care Act and Other Tax Law Changes). TIGTA annually assesses and reports on an evaluation of the adequacy and security of IRS information technology, as required by the IRS Restructuring and Reform Act of 1998.

WHAT TIGTA FOUND

Since last year's assessment report, the IRS has made progress on improving information security. As a result, the Government Accountability Office made a determination to downgrade information security from a material weakness to a significant deficiency. Even still, TIGTA's reviews identified weaknesses in system access controls, audit trails, and remediation of security weaknesses.

In addition, the IRS took important steps to correct system performance issues of the Modernized e-File system to deliver a successful filing season. However, TIGTA continues to believe that the IRS's Modernization Program remains a major risk. TIGTA identified several systems development issues that should be addressed to further strengthen and support the Modernization Program. For example, our review of the Customer Account Data Engine 2 database determined that existing data quality issues prevented the downstream interfaces from being implemented. Further, the development and implementation of new systems for the Affordable Care Act present major information technology management challenges. As a result, TIGTA plans to continue its strategic oversight of this area.

Achieving program efficiencies and cost savings is an important area for the IRS. In October 2012, the IRS achieved Information Technology Infrastructure Library® Maturity Level 3 to help achieve greater efficiency delivering information technology services. While the IRS has made progress on improving program effectiveness and reducing costs, TIGTA's recent audit work involving data center consolidation, the Aircard and BlackBerry® smartphone program, and hardware and software management identified several opportunities for the IRS to achieve additional cost savings.

WHAT TIGTA RECOMMENDED

Because this was an assessment report of the IRS's Information Technology Program through Fiscal Year 2013, TIGTA did not make any recommendations. However, TIGTA provided recommendations to the IRS in the audit reports referenced throughout this report.


DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

September 30, 2013

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: Michael E. McKenney
      Acting Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Annual Assessment of the Internal Revenue Service Information Technology Program (Audit # 201320019)

The overall objective of this review was to assess the progress of the Internal Revenue Service's (IRS) Information Technology Program, including modernization, security, and operations. This review is required by the IRS Restructuring and Reform Act of 1998.1 This audit is included in the Treasury Inspector General for Tax Administration's Fiscal Year 2013 Annual Audit Plan under the major management challenge of Modernization; however, it also addresses other challenge areas (e.g., Security for Taxpayer Data and Employees and Implementing the Affordable Care Act and Other Tax Law Changes).

Copies of this report are also being sent to IRS managers affected by the report contents. If you have any questions, please contact me or Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services).

1 Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).


Annual Assessment of the Internal Revenue Service Information Technology Program

Table of Contents

Background .......................................................................................................... Page 1

Results of Review ............................................................................................... Page 6
          Assessment of Information Security in Information Technology Programs, Operations, and Systems Development ....................................... Page 6
          Systems Development Projects to Support Modernization, Tax Legislation Changes, and Tax Compliance Initiatives ................................. Page 20
          Implementation of New Systems for the Patient Protection and Affordable Care Act Provisions .................................................................... Page 25
          Updates for the Integrated Financial System to Support Internal Revenue Service Operations ......................................................................... Page 27
          Information Technology Service Management Disciplines to Achieve Program Efficiencies and Savings Were Implemented; However, Additional Cost Savings Can Be Realized ................................... Page 28
          The Internal Revenue Service Needs to Strengthen Its Hardware and Software Management Processes ........................................................... Page 30
          There Has Been a Lack of Progress in Providing Taxpayer Access to Account Information via the Internet ........................................... Page 31
          Potential Savings for New Bring Your Own Device Pilot ........................... Page 33

Appendices
          Appendix I – Detailed Objective, Scope, and Methodology ........................ Page 34
          Appendix II – Major Contributors to This Report ........................................ Page 36
          Appendix III – Report Distribution List ....................................................... Page 37
          Appendix IV – List of Treasury Inspector General for Tax Administration Reports Reviewed ................................................................ Page 38
          Appendix V – Outcome Measures Reported in Fiscal Year 2013 ................ Page 40
          Appendix VI – Glossary of Terms ............................................................... Page 41


Abbreviations

ACA            Affordable Care Act
ACIO           Associate Chief Information Officer
BYOD           Bring Your Own Device
CADE           Customer Account Data Engine
FATCA          Foreign Account Tax Compliance Act
FISMA          Federal Information Security Management Act
FRS            Foreign Financial Institution Registration System
GAO            Government Accountability Office
IFS            Integrated Financial System
IFSV           Income and Family Size Verification
IRS            Internal Revenue Service
IT             Information Technology
ITIL           Information Technology Infrastructure Library
KISAM-AM       Knowledge, Incident/Problem, Service Asset Management – Asset Manager
NIST           National Institute of Standards and Technology
OMB            Office of Management and Budget
RRA 98         Restructuring and Reform Act of 1998
TIGTA          Treasury Inspector General for Tax Administration


Background

The Internal Revenue Service (IRS) Restructuring and Reform Act of 1998 (RRA 98)1 requires the Treasury Inspector General for Tax Administration (TIGTA) to annually evaluate the adequacy and security of the IRS Information Technology Program. This report provides our assessment of the IRS's Information Technology Program and operations for Fiscal Year 2013.

The IRS collects taxes, processes tax returns, and enforces Federal tax laws. In Fiscal Years 2011 and 2012, the IRS collected about $2.4 trillion and $2.5 trillion, respectively, in Federal tax payments, processed hundreds of millions of tax and information returns, and paid about $416 billion and about $373 billion, respectively, in refunds to taxpayers. Further, the size and complexity of the IRS add unique operational challenges. The IRS employs more than 95,000 people in its Washington, D.C., headquarters and more than 650 offices in all 50 states and U.S. territories and in some U.S. embassies and consulates. The IRS relies extensively on computerized systems to support its financial and mission-related operations.

According to March 2013 budget information provided by the Associate Chief Information Officer (ACIO), Strategy and Planning, the IRS Information Technology (IT) organization's Fiscal Year 2013 budget was approximately $2.3 billion, which is up slightly from last year's budget of $2.2 billion. Figure 1 provides a breakdown of the Fiscal Year 2013 budget by ACIO organization. Figure 2 provides a breakdown of the Fiscal Year 2013 budget by funding source.

1 Pub. L. No. 105-206, 112 Stat. 685 (codified as amended in scattered sections of 2 U.S.C., 5 U.S.C. app., 16 U.S.C., 19 U.S.C., 22 U.S.C., 23 U.S.C., 26 U.S.C., 31 U.S.C., 38 U.S.C., and 49 U.S.C.).

Figure 1: IRS Information Technology Organization Fiscal Year 2013 Budget (by ACIO organization)

[Figure 1 is a chart; its data are not reproduced in this text version.]

Source: Our analysis of the IRS IT organization budget data as of March 31, 2013, provided by the ACIO, Strategy and Planning, Financial Management Services.

Figure 2: IRS Information Technology Organization Fiscal Year 2013 Budget (by Funding Source)

[Figure 2 is a chart; its data are not reproduced in this text version.]

Source: Our analysis of the IRS IT organization budget data as of March 31, 2013, provided by the ACIO, Strategy and Planning, Financial Management Services.

The ACIO offices were restructured during Calendar Year 2013. Applications Development is now Enterprise Applications Development and will focus its efforts on systems development and maintenance, requirements analysis and development, and the delivery of multiple projects. The Enterprise Program Management Office will perform project management responsibilities for several systems development projects including the Customer Account Data Engine (CADE) 2, Return Review Program, Electronic Fraud Detection System, and Modernized e-File. In addition to the organizational restructuring, the IRS IT organization experienced turnover in some of its executive positions. For example, Enterprise Applications Development, Enterprise Services, and the Affordable Care Act (ACA)2 Program Management Office have new executive leadership.

As of August 2013, the IRS's IT organization employed 7,303 individuals, of which 7,145 work in eight different ACIO offices:

    •   Enterprise Applications Development is responsible for building, testing, delivering, and maintaining integrated information applications systems, or software solutions, to support modernized systems and the production environment.
    •   Enterprise Program Management Office is responsible for solution architecture and program-level life cycle processes for solution development.
    •   Cybersecurity is responsible for ensuring IRS compliance with Federal statutory, legislative, and regulatory requirements governing confidentiality, integrity, and availability of IRS electronic systems, services, and data.
    •   Enterprise Operations provides efficient, cost-effective, and highly reliable computing (server and mainframe) services for all IRS business entities and taxpayers.
    •   Enterprise Services enables business transformation through integrated solutions, services, and standards.
    •   Strategy and Planning is responsible for developing a comprehensive, integrated financial management program and strategic plan that support the programs and goals of the IT organization and for developing and implementing a capital planning and policy investment methodology and business case development.
    •   User and Network Services supplies and maintains all deskside (including telephone) technology, provides workstation software standardization and security management, inventories data processing equipment, conducts annual certifications of assets, provides the Information Technology Service Desk as the single point of contact for reporting an information technology issue, and equips the Volunteer Income Tax Assistance program.
    •   ACA Program Management Office is responsible for managing the strategic planning, development, and implementation of new information systems in support of business requirements with regard to the ACA (our Nation's healthcare reform initiative).

2 Patient Protection and Affordable Care Act (Affordable Care Act), Pub. L. No. 111-148, 124 Stat. 119 (2010) (codified as amended in scattered sections of the U.S. Code), as amended by the Health Care and Education Reconciliation Act of 2010, Pub. L. No. 111-152, 124 Stat. 1029.

The remaining 158 employees work in the Management Services business unit or support the Office of the Chief Technology Officer. The Management Services business unit partners with IRS IT leadership to define and implement human capital policies and guidance to ensure that employees are supported in the fashion necessary to deliver outstanding service. The Office of the Chief Technology Officer includes the Chief Technology Officer, two Deputy Chief Information Officers, and their staff. A Deputy Chief Information Officer serves as principal advisor to the Chief Technology Officer and provides executive direction and focus in helping the organization increase its effectiveness in delivering information technology services and solutions that align to the IRS's business priorities. Figure 3 presents the number of information technology employees in each business unit.

Figure 3: Number of Information Technology Organization Employees by Business Unit (in descending order by number of employees)

    Information Technology Business Unit                        Number of Employees
    Enterprise Applications Development                                      1,978
    Enterprise Operations                                                    1,836
    User and Network Services                                                1,660
    Enterprise Services                                                        645
    Cybersecurity                                                              370
    Strategy and Planning                                                      294
    Affordable Care Act – Program Management Office                            292
    Management Services                                                        144
    Enterprise Program Management Office                                        70
    Office of the Chief Technology Officer                                      14
    Total                                                                    7,303

Source: Treasury Integrated Management Information System as of August 2013.

The compilation of information for this report was conducted at TIGTA offices in Austin, Texas; Chicago, Illinois; and Memphis, Tennessee, during the period May through September 2013. The information presented is derived from TIGTA audit reports issued between October 1, 2012, and September 27, 2013. We also reviewed relevant Government Accountability Office (GAO)3 reports, congressional testimony, and IRS-issued documents relating to IRS information technology plans and issues. These previous audits and our analyses were conducted in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objectives. Detailed information on our audit objective, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II. A listing of the audit reports used in this assessment is presented in Appendix IV.

3 See Appendix VI for a glossary of terms.


Results of Review

Assessment of Information Security in Information Technology Programs, Operations, and Systems Development

For Fiscal Year 2013, TIGTA designated Security for Taxpayer Data and Employees as the IRS's number one management and performance challenge. The IRS faces the daunting task of securing its computer systems against the growing threat of cyberattacks. Effective information systems security becomes essential to ensure that data are protected against inadvertent or deliberate misuse, improper disclosure, or destruction and that computer operations supporting tax administration are secured against disruption or compromise.

Protecting the confidentiality of this sensitive information is paramount. Otherwise, taxpayers could be exposed to loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes. According to an Office of Management and Budget (OMB) report4 to Congress, threats to Federal information—whether from insider threat (e.g., mistakes, as well as fraudulent or malevolent acts by employees or contractors working within an organization), criminal elements, or nation states—continue to grow in number and sophistication, creating risks to the reliable functioning of our Government.

The number of cyber incidents affecting Federal Government agencies increased approximately five percent in Fiscal Year 2012, when agencies reported 48,842 cyber incidents to the U.S. Computer Emergency Readiness Team as presented in Figure 4. The Department of the Treasury reported 3,829 cyber incidents to the U.S. Computer Emergency Readiness Team in Fiscal Year 2012, as shown in Figure 5.

4 OMB, Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002 (March 2013). Pub. L. No. 107-347, Title III, 116 Stat. 2899, 2946-2961 (2002) (codified as amended in 44 U.S.C. §§ 3541–3549).

Figure 4: Cyber Incidents Reported to the U.S. Computer Emergency Readiness Team by Federal Agencies in Fiscal Year 2012

    Incident Category                                                                              Number of Incidents   Percentage of Total Incidents
    Non-Cyber (Personally Identifiable Information spillage or mishandling for hardcopy or printed material)      13,685                 28.0%
    Policy Violations (mishandling of data in storage or transit)                                                  9,194                 18.8%
    Malicious Code (malware)                                                                                       8,847                 18.1%
    Equipment (lost or stolen equipment)                                                                           8,057                 16.5%
    Suspicious Network Activity                                                                                    2,918                  6.0%
    Social Engineering (fraudulent websites or attempts to entice users to provide sensitive information)          2,459                  5.0%
    Improper Usage (rule of behavior violations)                                                                     690                  1.4%
    Unauthorized Access (unprivileged users gain control of system or resource)                                      347                  0.7%
    Denial of Service (successful Denial of Service attacks)                                                          27                 0.05%
    Other (low frequency incidents, such as unconfirmed third-party notifications, failed attacks, or incident with unknown causes)   2,618   5.4%
    Total                                                                                                         48,842                100.0%

Source: The OMB's Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002, dated March 2013. Percentages do not add to 100 percent due to rounding.

Figure 5: Cyber Incidents Reported to the U.S. Computer Emergency Readiness Team by the Department of the Treasury in Fiscal Year 2012

[Figure 5 is a chart; its data are not reproduced in this text version.]

Source: The OMB's Fiscal Year 2012 Report to Congress on the Implementation of the Federal Information Security Management Act of 2002, dated March 2013.

The Office of Cybersecurity within the IRS IT organization is responsible for protecting taxpayer information and the IRS's electronic systems, services, and data from internal and external cybersecurity threats by implementing world-class security practices in planning, implementation, risk management, and operations. In September 2012, the IRS issued an updated version of the Information Technology Program Plan.5 The plan addresses current information technology security issues and communicates to the IRS community the security initiatives to resolve the Information Security Material Weaknesses,6 comply with Federal security guidelines, and reduce security risk.

The plan uses the 13 information security elements contained in National Institute of Standards and Technology (NIST) Special Publication 800-1007 as the framework for the IRS Information Security Program. Under each program element, there is a brief description of its scope, the current environment, and an encapsulation of ongoing security initiatives. The initiatives represent the actions that serve as a roadmap and a basis for benchmarking performance. The document captures what the IRS is doing to continuously improve its security posture.

Since Security for Taxpayer Data and Employees is the highest management and performance challenge, we performed audits to assess the IRS's efforts to protect its information systems and taxpayer data. Some of these audits focused solely on what the IRS was doing to mitigate its information security risks. We also had audits whose objectives were primarily focused on management of systems development or information technology operations/projects but included security subobjectives. Therefore, some of the audits discussed below appear in two sections of this report.

The IRS determined that information security should no longer be designated as a material weakness but as a significant deficiency

In Calendar Year 1997, the IRS designated information security as a material weakness. The information security material weakness compromises the accuracy and availability of the IRS financial information and places sensitive information regarding IRS operations and taxpayers at risk. In our 2012 annual assessment report,8 the IRS stated that it closed or completed corrective actions for eight of the nine information security material weakness components and planned to close the remaining component by January 2014. During Fiscal Year 2013, the IRS revised its plans to close the remaining component by September 2014.

In November 2012, the GAO reported9 that during Fiscal Year 2012, the IRS continued to make important progress in addressing numerous deficiencies in its information security controls over its financial reporting systems. As a result, GAO considers information security, previously reported as a long-standing material weakness, to be a significant deficiency that continues to warrant the attention of those charged with governance of the IRS.

5 The IRS issued the first plan in September 2009.
6 Formerly called computer security material weaknesses.
7 NIST, NIST Special Publication 800-100, Information Security Handbook: A Guide for Managers (Oct. 2006).
8 TIGTA, Ref. No. 2012-20-120, Annual Assessment of the Internal Revenue Service Information Technology Program p. 19 (Sept. 2012).
9 GAO, GAO-13-120, IRS's Fiscal Years 2012 and 2011 Financial Statements Highlights page (Nov. 9, 2012).

In addition to the GAO's determination to downgrade information security to a significant deficiency, the IRS provided a briefing and documents to TIGTA in August 2013 that detailed its other efforts and accomplishments to support the downgrade determination, which included:

    •   The IT organization's work and its progress on the Information Security Material Weakness remediation plan; GAO's top nine concerns, which include specific financial systems, security controls, and reliability on the IRS's monitoring of internal controls; review of external systems that provide data in support to the IRS's financial statements; and the annual Federal Information Security Management Act (FISMA)10 assessment on security metrics.
    •   The Chief Financial Officer's work on interim OMB Circular A-12311 testing to evaluate internal controls effectiveness over financial reporting, annual assurance statements, and IRS materiality determinations to better understand financial process workflows, systemic and operational risks, mitigation steps, monitoring, and controls.

Unlike previous years, the IRS did not request that TIGTA initiate a review to validate its efforts to support the downgrade determination. As a result, we are not in a position to concur or disagree with the determination. However, the information provided appears to be very comprehensive and detailed to support the downgrade.

In March 2013, the GAO reported12 that despite the progress made by the IRS, the GAO still found access control deficiencies that reduced security over systems:

    •   Controls for identifying and authenticating users were inconsistently implemented.
    •   Inconsistent use of data encryption limited protection of sensitive information.
    •   Visitor physical access cards to restricted areas at one computing center provided unauthorized access to other restricted areas within the center, and regular reviews of individuals with an ongoing need to access restricted areas at one of the three computing centers were not being conducted monthly to ensure that such access was still appropriate.

10 Pub. L. No. 107-347, Title III, 116 Stat. 2899, 2946-2961 (2002) (codified as amended in 44 U.S.C. §§ 3541-3549).
11 OMB, OMB Circular No. A-123 (Revised), Management's Responsibility for Internal Control (Dec. 2004).
12 GAO, GAO-13-350, IRS Has Improved Controls but Needs to Resolve Weaknesses pp. 11-13, 15, and 18 (March 15, 2013).

The GAO report continued by stating that a key reason for the information security weaknesses in the IRS's financial and tax-processing systems was that, although the IRS has developed and documented a comprehensive agencywide information security program, it had not effectively implemented certain elements of its information security program. For example (not all inclusive):

    •   Inconsistent system configurations resulted in preventable vulnerabilities. Eight of 19 servers reviewed lacked a security setting to enforce standard configuration updates, resulting in weaker controls for these servers.
    •   The agency's automated change management process could be circumvented because individuals had privileges that allowed them to make changes to mainframe applications.
    •   The IRS did not always apply patches to its systems in a timely manner. For example, a database supporting tax account processing had not been patched for several months despite the issuance of critical patches, and another database used for operations support was missing key patches. IRS officials stated that these situations resulted from restrictions on making changes to systems during the tax filing season.
Other servers\n         were also not patched due to system performance problems.\n     \xef\x82\xb7   The IRS\xe2\x80\x99s audit and monitoring policies and procedures did not comprehensively address\n         users accessing files used by one processing environment from a different environment.\n     \xef\x82\xb7   The IRS\xe2\x80\x99s security standards for systems that support tax processing and financial\n         management contained information that was several years out of date, which had resulted\n         in less secure system configurations.\nThe GAO also reported that the IRS had a process in place for evaluating and tracking remedial\nactions, but it did not always effectively validate that corrective actions had been taken or\nwhether the actions addressed the weakness. The Internal Revenue Manual requires that the IRS\ntrack the status of resolution of all weaknesses and verify that each weakness has been corrected\nbefore closing it. During the GAO audit period, March 2012 through March 2013, the IRS\ninformed the GAO that it had addressed 58 of the 118 previous GAO information system\nsecurity recommendations that remained unresolved at the end of the prior audit. However, the\nGAO determined that 13 (about 22 percent) of the 58 had actually not yet been fully resolved.13\nThe GAO previously made a recommendation in March 2007 to the IRS for it to revise its\nverification process to ensure that actions are fully implemented.14\nDuring a similar review to determine whether closed corrective actions to security weaknesses\nand findings reported by TIGTA have been fully implemented, validated, and documented as\n\n\n13\n  GAO, GAO-13-350, IRS Has Improved Controls but Needs to Resolve Weaknesses p. 22 (March 15, 2013).\n14\n  GAO, GAO-07-364, Information Security: Further Efforts Needed to Address Significant Weaknesses at the\nInternal Revenue Service p. 
23 (March 30, 2007).\n                                                                                                    Page 10\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\nimplemented,15 we found that eight (42 percent) of the 19 planned corrective actions had not\nbeen fully implemented and should not have been closed. These planned corrective actions\ninvolved systems containing taxpayer data. For the eight planned corrective actions, we found\nthe following internal control deficiencies.\n       \xef\x82\xb7   For five planned corrective actions, the supporting documentation did not fully support\n           the closed corrective action. In the remaining three planned corrective actions, we were\n           not provided any documentation to support the closure of the corrective action.\n       \xef\x82\xb7   For four planned corrective actions, the update and closure form did not include the\n           appropriate executive approval.\n       \xef\x82\xb7   For all eight planned corrective actions, the office responsible for monitoring internal\n           control weaknesses did not audit the corrective actions to ensure implementation and\n           proper closure.\nOur audit report provided six recommendations to address these issues.\nThe Federal Government has a duty to secure Federal information and information systems and\nprotect against threats (e.g., unauthorized access to systems or data) posed by security\nweaknesses. The FISMA requires agencies to provide information security protections\ncommensurate with risks and their potential harms to Federal information. We completed our\nmandatory review of the FISMA16 and found that the IRS generally complied with nine of\n11 requirements on its information security programs and practices. 
Based on our and the\nGAO\xe2\x80\x99s recent reports, the IRS should improve its efforts to promptly resolve findings and\ndocument the actions taken to close the corrective actions.\n\nWeaknesses in security of operations programs, Internet access, and new\ntechnologies\nInformation security services and products are essential elements of an organization\xe2\x80\x99s\ninformation security program. The selection of services and products is an integral part of the\ndesign, development, and maintenance of an information technology security infrastructure that\nensures confidentiality, integrity, and availability of mission-critical information. Information\nsecurity services and product acquisition encompasses the selection of services and products that\nare used as operational or technical security controls for the IRS\xe2\x80\x99s information technology\nsystems. The following are the audits that reported information security issues.\nTrusted Internet Connections: This initiative is intended to improve cybersecurity and the\nsecurity of Federal information systems. The primary goals are (1) to consolidate and secure\n\n\n\n15\n     See Appendix IV, Ref. No. 2013-20-117.\n16\n     See Appendix IV, Ref. No. 2013-20-128.\n                                                                                               Page 11\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\nFederal agency external connections using a common set of security controls and (2) to improve\nthe Federal Government\xe2\x80\x99s incident response capability.\nDuring our review of the IRS\xe2\x80\x99s implementation of this initiative,17 we found that in\nFebruary 2013 the Department of Homeland Security conducted a Cybersecurity Capability\nValidation assessment of two of the three IRS Trusted Internet Connections and reported that\neach met 68 (92 percent) of the 74 capabilities required. 
Although the IRS has made good\nprogress implementing the requirements for this initiative, our review revealed areas where\nimprovements could strengthen security.\n     \xef\x82\xb7   The IRS was not capturing audit logs of administrator activity on servers, firewalls, or\n         routers. Audit logs containing information on activities by administrators on Trusted\n         Internet Connection devices provide a means to establish individual accountability.\n         Without an effective system for the capture and review of administrator activity,\n         accountability for actions taken on equipment cannot be established and unauthorized\n         activity may go undetected.\n     \xef\x82\xb7   A Data Loss Prevention system designed to detect potential data breach transmissions\n         and prevent them by monitoring, detecting, and blocking sensitive data while in use\n         (endpoint actions), in motion (network traffic), and at rest (data storage) was not in\n         place.\n     \xef\x82\xb7   The IRS does not have a sufficient number of operational employees with appropriate\n         security clearances for handling classified information.\n     \xef\x82\xb7   The IRS does not have a Sensitive Compartmented Information Facility18 at any of its\n         three Trusted Internet Connection locations as required. A Sensitive Compartmented\n         Information Facility is a secured area within a building that is used to process sensitive\n         compartmented information.\n     \xef\x82\xb7   Although the IRS has generally configured firewalls and routers securely, we found\n         instances where firewalls or routers were not configured in compliance with required\n         baseline configuration settings.\n     \xef\x82\xb7   The IRS has eight servers running outdated versions of the operating system. 
Outdated\n         operating systems increase the risk of attacks that exploit known vulnerabilities, resulting\n         in unauthorized access or loss of IRS data.\nOur audit report provided six recommendations to address these issues.\n\n\n17\n  See Appendix IV, Ref. No. 2013-20-107.\n18\n  Office of the Director of National Intelligence, Intelligence Community Directive Number 705, Sensitive\nCompartmented Information Facilities (May 26, 2010), established the uniform physical and technical requirements\nwith which facilities must comply in order to be accredited as a Sensitive Compartmented Information Facility.\n                                                                                                       Page 12\n\x0c                        Annual Assessment of the Internal Revenue Service\n                                 Information Technology Program\n\n\n\nTreasury Enhanced Security Initiatives: This project was implemented to enable the IRS to\ncomply with the OMB\xe2\x80\x99s mandate18 to continuously monitor security settings on computer\nworkstations and identify and address security settings that have been altered. We found19 that\nthe project, which includes the continuous monitoring tool for workstation security, will address\nseveral computer security weaknesses on employee workstations. Our audit report did not\ninclude any security recommendations.\nVirtualized Environment: Server virtualization is a technology that allows several \xe2\x80\x9cvirtual\xe2\x80\x9d\nservers to run on one physical host server (hereafter referred to as \xe2\x80\x9chost\xe2\x80\x9d), as illustrated in\nFigure 6. The technology helps organizations utilize their existing hardware infrastructure more\neffectively.\n                       Figure 6: Illustration of Server Virtualization\n\n\n\n\n     Source: TIGTA, Ref. No. 2013-20-106, Automated Monitoring Is Needed for the Virtual\n     Infrastructure to Ensure Secure Configurations p. 1 (Sept. 
2013).\n\nOur review of the security over the IRS\xe2\x80\x99s virtualized environment20 found that the IRS developed\na comprehensive policy that establishes the minimum security controls to prevent unauthorized\naccess to IRS information systems hosted in its virtualization environment. The IRS has been\n\n\n\n18\n   OMB, OMB Memorandum M-07-11, Implementation of Commonly Accepted Security Configurations for\nWindows Operating Systems (March 22, 2007).\n19\n   See Appendix IV, Ref. No. 2013-20-016.\n20\n   See Appendix IV, Ref. No. 2013-20-106.\n                                                                                              Page 13\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\nsuccessful in its continual efforts to expand its virtual server environment. As a result, the IRS\nimproved server efficiency and realized significant cost savings. However, we found that:\n       \xef\x82\xb7   Security configuration settings on virtual hosts were not in accordance with IRS policy\n           and the hosts were not timely patched to address known security vulnerabilities.\n       \xef\x82\xb7   Twelve (43 percent) of 28 required security controls on 16 hosts we tested were failed by\n           three or more hosts. In addition, 10 (63 percent) of the 16 hosts were missing a total of\n           48 security patches.\n       \xef\x82\xb7   Audit logs capturing administrator activity on certain hosts and servers were not being\n           collected and reviewed as required. Without the proper capture and review of\n           administrator activity, accountability for actions taken on hosts cannot be established and\n           unauthorized activity may go undetected. 
Moreover, the IRS could have a security\n           breach in the virtual environment and not be aware of it.\nOur audit report provided three recommendations to address these issues.\neAuthentication: RRA 98 requires the IRS to allow taxpayers to access tax account information\nonline. The objective of the IRS eAuthentication Project is to design and build a common\nservice to proof and register individuals and to provide and validate credentials for ongoing\nsystem access using the Internet.\nDuring our review,21 we determined that eAuthentication Release 1 has limited audit reporting\nfunctionality. While actions taken by users within the eAuthentication application are identified\nby user identification, these actions are not associated to a user\xe2\x80\x99s actual name and therefore\ncannot be associated to a specific taxpayer. In addition, the user information captured by the\napplication may contain Personally Identifiable Information and therefore must be encrypted\nwhen it is stored on the server. The IRS does not have a mechanism to make the encrypted data\nreadable, but it does have a tool that can log auditable events for each taxpayer transaction that\ndoes track the individual with his or her Social Security Number. These transactions are\navailable for designated security and audit individuals but not generally available for\nmanagement review.\nFor eAuthentication Release 2, the project team plans to use a suite of products to meet the\nreporting requirements. This capability should enable the project team to provide stakeholders\naccess to more useful reports for both customer usage reporting and process effectiveness\npurposes. Without adequate reporting functionality, the IRS is only able to see minimal details\nabout taxpayers using the eAuthentication application. The expanded reporting functionality\nshould provide the IRS with application-specific reports, taxpayer account reports, and system\ninfrastructure reports. 
Our audit report provided one recommendation to address this issue.\n\n\n21\n     See Appendix IV, Ref. No. 2013-20-127.\n                                                                                              Page 14\n\x0c                           Annual Assessment of the Internal Revenue Service\n                                    Information Technology Program\n\n\n\nBring Your Own Device (BYOD) Pilot Project: BYOD is a popular trend in mobile computing\nthat allows users to access network resources on their personal mobile devices, such as\nsmartphones. The IRS is currently piloting a limited BYOD effort22 that allows BYOD\nparticipants access to e-mail, calendaring, and some web-based internal IRS applications, but\ntechnical limitations prevent users from interfacing with many IRS internal systems. One\ndrawback of a BYOD program is that BYOD devices are subject to distinctive threats and often\nneed additional protection because their nature generally places them at higher exposure to\nthreats than other devices, e.g., desktop and laptop devices used only within the organization\xe2\x80\x99s\nfacilities and on the organization\xe2\x80\x99s networks.23\nDuring our review of the IRS\xe2\x80\x99s BYOD Pilot Project,24 we found that the IRS considered and\nimplemented security measures when it implemented its BYOD pilot; however, increased\nattention is still needed to address security concerns related to the participants in the pilot.\n     \xef\x82\xb7   Because the BYOD pilot takes place in the production environment, standard security\n         controls should apply. The IRS is unable to fully implement Federal and IRS security\n         guidance with respect to BYOD devices. 
Thus, we believe BYOD devices should only\n         be allowed to access e-mail functions and should not be allowed to access other IRS\n         network resources.\n     \xef\x82\xb7   The IRS allows devices based on the Android\xc2\xae operating system to participate in the\n         BYOD pilot, even though these devices are more subject to malware than the Apple\xc2\xae\n         devices tested in earlier phases.\n     \xef\x82\xb7   Access audit trails are not retained or reviewed in compliance with IRS policy. If audit\n         trails are not available or are not reviewed, unauthorized accesses may occur and not be\n         detected.\n     \xef\x82\xb7   BYOD participants are not receiving periodic refresher training specific to BYOD threats\n         and recommended security practices. Without periodic training, the IRS has no assurance\n         that users are knowledgeable about elevated loss and theft rates of smartphones, how to\n         identify potentially dangerous applications, and other mobile device security issues.\nOur audit report provided four recommendations to address these issues.\n\n\n\n\n22\n   The IRS currently refers to its BYOD pilot as a \xe2\x80\x9ctechnology demonstrator,\xe2\x80\x9d which is meant to distinguish BYOD\nas a provisional initiative or prototype, thus differentiating it from formal pilots or large-scale information\ntechnology initiatives for which the IRS uses a well-established investment decision and enterprise life cycle\nmethodology. The word \xe2\x80\x9cpilot\xe2\x80\x9d is used in the report in a general sense for ease of understanding.\n23\n   NIST, NIST Special Publication 800-124 Revision 1, Guidelines for Managing the Security of Mobile Devices in\nthe Enterprise (June 2013).\n24\n   See Appendix IV, Ref. No. 
2013-20-108.\n                                                                                                        Page 15\n\x0c                          Annual Assessment of the Internal Revenue Service\n                                   Information Technology Program\n\n\n\nSecurity and systems development\nAccording to a March 2013 GAO report,25 the IRS applies information technology to help\nachieve its missions and provide information and services to the public, but extensive reliance on\ncomputerized information also creates challenges in securing that information from various\nthreats. Information security is especially important for government agencies, where\nmaintaining the public\xe2\x80\x99s trust is essential. As a component of overall system security, security\ncontrols should be addressed when developing a new system (e.g., during the design and\nrequirements development phases) or revising an existing system to mitigate information\nsecurity risks.\nThe GAO describes these controls as general controls (security management, access controls,\nconfiguration management, segregation of duties, and contingency planning), business process\napplication controls (input, processing, output, master file, interface, and data management\nsystem controls), and user controls (controls performed by people interacting with information\nsystems). Without proper safeguards, computer systems are more vulnerable to individuals and\ngroups with malicious intentions who can intrude and use their access to obtain sensitive\ninformation, commit fraud, disrupt operations, or launch attacks against other computer systems\nand networks. During this reporting period, information security control weaknesses were\nidentified in several of our systems development audits.\nIntegrated Financial System (IFS): The IRS\xe2\x80\x99s core financial system annually accounts for\napproximately $12 billion in operational funds. 
During our review,26 we found that updates for\nthe system were completed as planned to address compliance for specific information technology\nsecurity controls. For example, one update provided data encryption and eliminated security\nweaknesses in the Citrix\xc2\xae and Windows\xc2\xae 2000 environments no longer supported by the vendor.\nHowever, improvements are needed to better ensure that remaining system security weaknesses\nare addressed. We reported that:\n     \xef\x82\xb7   Users have access to Personally Identifiable Information without a business need. In\n         addition, 110 users have access to the 1099 and W-2 data for some IRS employees and\n         vendors without reasonable access control checks in place. Such controls would identify\n         or prevent a user viewing another IRS employee\xe2\x80\x99s tax information.\n     \xef\x82\xb7   The data encryption tool complies with Federal guidance, but it is not yet certified for\n         validation.\n     \xef\x82\xb7   The system does not yet provide for multifactor authentication.\nOur audit report provided four recommendations to address these issues.\n\n\n25\n   GAO, GAO-13-350, IRS Has Improved Controls but Needs to Resolve Weaknesses pp. 3, 4, and 6\n(March 15, 2013).\n26\n   See Appendix IV, Ref. No. 2013-20-030.\n                                                                                                Page 16\n\x0c                          Annual Assessment of the Internal Revenue Service\n                                   Information Technology Program\n\n\n\nIncome and Family Size Verification (IFSV) Project: The IFSV Project is one of six core\nACA Program projects being implemented in October 2013. It will support open enrollment by\nverifying income and family size for individuals requesting eligibility for the Advanced Premium\nTax Credit for health insurance. 
During our review,27 we found that, within a new iterative\nsystem development approach, the IRS had developed a security plan intended to protect\ntaxpayer data and also incorporated FISMA and NIST guidelines. We did not make any\nrecommendations directly related to information security controls.\nPremium Tax Credit Project: Provisions of the ACA include a refundable credit, referred to as\nthe Premium Tax Credit, for eligible individuals to assist with paying health insurance\npremiums. In addition, the IRS\xe2\x80\x99s implementation plan for ACA Exchange provisions includes\nproviding information that will support eligibility and enrollment functions. Like the IFSV\nProject, the Premium Tax Credit Project is managed under the IRS ACA Program. The project\nincludes all processes related to the development of the Premium Tax Credit Computation\nEngine in support of the implementation of Advanced Premium Tax Credit capabilities. During\nour observation of security testing,28 Cybersecurity management ensured that tests were\nconducted in accordance with the NIST requirements and Internal Revenue Manual guidelines.\nHowever, the configuration baselines and settings for specific controls were not adequately\ntested. Because Cybersecurity did not stipulate specific corrective actions for failed tests and\nknown risks associated with the component misconfiguration, we could not verify that known\nrisks associated with component misconfigurations have been consistently addressed for the\nproject.\nWe reported that change management guidelines were also not consistently followed to withdraw\napproved baseline security requirements. Specifically, the change request and impact assessment\nprepared to withdraw the security requirements only included one of the seven baseline\nrequirements removed. 
If change management guidelines are not properly followed,\nmanagement may not be able to determine the potential impact of changed requirements on the\nsecurity controls for the Premium Tax Credit Computation Engine, which could negatively affect\nfunctionality or delay deployment of the Premium Tax Credit Project. Our audit report provided\ntwo recommendations to address these issues.\nKnowledge, Incident/Problem, Service Asset Management \xe2\x80\x93 Asset Manager (KISAM-AM):\nThe KISAM-AM is the sole authoritative source and official inventory record for all information\ntechnology assets within the IRS [with the exception of information technology software assets\n(to include software and software licenses)]. We conducted tests to ensure that sufficient system\ncontrols were in place to protect access to the KISAM system data.29 Our tests determined that\nthe KISAM-AM application, database, and operating system complied with the IRS\xe2\x80\x99s password\n\n\n27\n   See Appendix IV, Ref. No. 2013-23-034.\n28\n   See Appendix IV, Ref. No. 2013-23-119.\n29\n   See Appendix IV, Ref. No. 2013-20-089.\n                                                                                         Page 17\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\nmanagement requirements. However, our review of the switch user log (audit log) identified\nthree individuals who accessed the KISAM system database using a system account and without\na need to know. These three individuals are not database administrators and should not have\naccess to the database system account or the password for the account. 
This suggests that a\nsecurity weakness exists within the KISAM-AM system infrastructure, and we cannot be assured\nthat the data within the KISAM-AM system is protected from accidental or malicious altering.\nOur audit report provided a recommendation to address this issue.\nForeign Financial Institution Registration System (FRS): Development and implementation\nof the FRS is underway to support requirements of the Foreign Account Tax Compliance Act\n(FATCA).30 If successful, the FRS would help to significantly improve taxpayer compliance\ninternationally and thus enhance IRS tax administration under the FATCA provisions. Through\nthe FRS, Foreign Financial Institutions will register and provide offshore account information\nreporting to the IRS. Our audit31 found that security controls need improvement to ensure\nlong-term success for this new international system. Specifically, the IRS needs to ensure that\nsystem test plans are completed so that all security requirements, controls, and test cases are\nidentified, traced, and tested. Without improvements in risk mitigation controls during\ndevelopment of this new system, the IRS may not be able to adequately determine whether:\n     \xef\x82\xb7   The Security Controls Assessment Test Plan included adequate security controls prior to\n         deployment of the FRS.\n     \xef\x82\xb7   System security controls aligned with NIST guidance, IRS requirements and testing\n         manuals, and other applicable standards.\n     \xef\x82\xb7   The Security Controls Assessment Test Plan contained test cases for all the system\n         security requirements.\n     \xef\x82\xb7   The test cases were mapped to the security controls.\nOur audit report provided one recommendation to address this issue.\nCADE 2 database: The CADE 2 program implements a single data-centric solution that\nprovides daily processing of taxpayer accounts. 
The first phase is Transition State 1, which\nestablishes the target CADE 2 data model and database and uses the data to provide individual\ntaxpayer account information to select systems. The Transition State 1 solution will also\nimplement required security controls and begin to address identified security weaknesses.\nOur review of security controls in the system development activities for the CADE 2 database32\nfound that the lack of security systems integration prevents transaction-level tracking of\nemployee access to the CADE 2 database. The CADE 2 \xe2\x80\x93 Corporate Files Online/Individual\n\n30\n   Pub. L. No. 111-147, Subtitle A, 124 Stat 71, 96-116 (2010)(codified in scattered sections of 26 U.S.C.).\n31\n   See Appendix IV, Ref. No. 2013-20-118.\n32\n   See Appendix IV, Ref. No. 2013-20-125.\n                                                                                                               Page 18\n\x0c                              Annual Assessment of the Internal Revenue Service\n                                       Information Technology Program\n\n\n\nMaster Files Online systems interface uses two security systems to provide user authentication\nand access control and auditing functionality.\nWe attempted to trace a transaction from a Corporate Files Online/Individual Master Files\nOnline system data call to the CADE 2 database and were unable to follow the transaction once\nit passed through the Data Access Service system account. Not having transaction-level tracking\nof employee access to the CADE 2 database can allow unauthorized access to taxpayer data to go\nundetected by audit logs. Our audit report provided one recommendation to address this issue.\nPrivacy\nWithin the Federal Government, privacy is defined as an individual\xe2\x80\x99s expectation that his or her\npersonal information collected for official Government business will be protected from\nunauthorized use and access. 
During our review[33] of the IRS's implementation of the privacy provisions of the E-Government Act of 2002,[34] we found that the IRS implemented the Privacy Impact Assessment Management System in December 2011 to automate the process of completing Privacy Impact Assessments in a more efficient and less time-consuming way. We determined that the Privacy Compliance office analysts effectively conducted in-depth quality reviews of completed Privacy Impact Assessments submitted by system and program owners. Further, the Privacy and Information Protection office complied with the updated privacy reporting requirements by preparing and submitting required reports to the Department of the Treasury.

Despite its commitment toward privacy and improvements from our prior review, the IRS continues to face challenges in meeting legislative privacy requirements. Specifically, we found that Privacy Impact Assessments:

• Had not been completed or updated for all systems or customer surveys where taxpayer or employee information has been collected and maintained.
• Had not been posted to the IRS's public website.
• May not have been completed and submitted for internal SharePoint collaboration sites.

Our report provided 11 recommendations to address the privacy issues.

To summarize, although the IRS may have closed many of its information security weaknesses identified in the past, we and the GAO continue to identify similar or new security weaknesses in our recent audits of information technology initiatives and operations. For example, improper security configuration control settings were found during the Premium Tax Credit, Treasury Internet Connections initiative, and Virtualized Environment audits. Issues with capturing and reviewing audit trail logs were found during the Treasury Internet Connections initiative, Virtualized Environment, BYOD, and CADE 2 audits. These findings, along with continued cyberattacks against Government systems, bring us to conclude that the IRS needs to continue efforts to reduce its security vulnerabilities.

[33] See Appendix IV, Ref. No. 2013-20-023.
[34] Pub. L. No. 107-347, § 208, 116 Stat. 2899 (2002).

Systems Development Projects to Support Modernization, Tax Legislation Changes, and Tax Compliance Initiatives

The Business Systems Modernization Program (hereafter referred to as the Modernization Program) is a major undertaking and involves a complex effort to modernize IRS technology and related business processes. When the program stood up, estimates were that this initiative would last up to 15 years. Now in its 15th year and with IRS budget information from March 2013 indicating a budget of over $426 million, the Modernization Program continues to make improvements in electronic tax administration with projects like the Modernized e-File and CADE 2.

The IRS's modernization efforts also include modernizing taxpayer applications that allow taxpayers to communicate with the IRS through the Internet, developing a shared infrastructure and common business service solutions usable across multiple modernization projects, and ensuring that systems solutions meet business needs and effectively integrate modernization projects and programs. Building on last year's organizational shift incorporating modernization into the overall portfolio, the IRS's IT organization renamed the Modernization Program Management Office and Applications Development organization to the Enterprise Program Management Office and Enterprise Applications Development, respectively.
Successful modernization of IRS systems and the development and implementation of new information technology applications are necessary to meet evolving business needs and ensure the long-term viability of IRS tax processing systems.

In February 2013, the GAO reported that it removed the Modernization Program from its High Risk List.[35] The GAO removed this program because:

• Progress was made in addressing significant weaknesses in information technology and financial management capabilities.
• The IRS delivered the initial phase of its cornerstone tax processing project and began the daily processing and posting of individual taxpayer accounts in January 2012. This enhanced tax administration and improved service by enabling faster refunds for more taxpayers, allowing more timely account updates, and providing faster issuance of taxpayer notices.
• The IRS has put in place close to 80 percent of the practices needed for an effective investment management process, including all of the processes needed for effective project oversight.
• The IRS had embarked on an effort to improve its software development practices using the Carnegie Mellon University Software Engineering Institute's Capability Maturity Model Integration, which calls for disciplined software development and acquisition practices that are considered industry best practices. In September 2012, the IRS's application development organization reached Capability Maturity Model Integration Maturity Level 3, a high achievement by industry standards.

[35] GAO, GAO-13-359T, GAO's High Risk Series – An Update, p. 2 (Feb. 2013).

Although the GAO removed the Modernization Program from its High Risk List, we believe the program remains a high risk and major management challenge for the IRS because of the need for improvements in information technology practices and performance. Some of these areas of improvement are discussed below.

To help meet its business needs, the IRS IT organization developed the Integrated Release Plan. This document is an evolving business planning tool that merges information about the technology roadmap, release/capacity management, and budget. According to the IRS's IT organization, the objectives of the Integrated Release Plan include:

• Supporting continuous engagement with the non–information technology side of the IRS.
• Improving alignment of information technology investments, service, and delivery with IRS strategic goals.
• Facilitating enterprisewide "early warning" of risks and issues on essential projects.
• Enhancing situational awareness and enabling the IT organization to manage risks, resource contention, and tradeoff decisions.

The Modernized e-File system helps deliver the filing season

The Modernized e-File system is the IRS electronic filing system that enables real-time processing of tax returns while improving error detection, standardizing business rules, and expediting acknowledgements to taxpayers. It is a critical component to meet the needs of taxpayers, reduce taxpayer burden, and broaden the use of electronic interactions. The IRS modified the scope for Modernized e-File Release 8 to focus on correcting the performance issues identified during Release 7 and delayed the implementation of new business taxpayer forms to Release 9.

During last year's review of the Modernized e-File system,[36] we recommended that the IRS defer the retirement of the Legacy e-File system. During this year's review,[37] we found that the IRS took important steps before the 2013 Filing Season to correct the system performance issues that occurred during the 2012 Filing Season. The IRS increased the Release 8 test requirement for the Performance Evaluation Testing Environment database by implementing a copy of the Modernized e-File system production database. This production-sized database contained 23.1 million records, up from the 6.6 million records required for Release 7 testing. By doing so, the IRS leveraged data from the production-sized database to obtain the amount of data needed to execute sustained performance testing. The IRS also implemented enhancements to improve the delivery of files to downstream systems and increased the capacity of the portal to guard against a decrease in overall performance.

Development of a new Return Review Program system is necessary to mitigate fraud risks affecting the IRS's environment for electronic tax administration

The IRS is developing a new Return Review Program system to implement its emerging business model for a coordinated criminal and civil tax noncompliance system.
Once developed and implemented, the new system will significantly enhance the IRS's capabilities to prevent, detect, and resolve tax refund fraud, including identity theft. The IRS's current system used to detect fraud is the Electronic Fraud Detection System. At the time of our review, the IRS had determined that the Electronic Fraud Detection System, which was implemented in 1994, is outdated and would be inefficient to maintain, upgrade, or operate beyond Calendar Year 2015. Successful implementation of the new Return Review Program system would increase the dollar amount of fraudulent tax refunds identified annually.

During our review of the Return Review Program,[38] we found that the roles for program-level governance were not yet established and that the key role of system integrator was not documented or clearly communicated. From January to December 2012, prototype activities were conducted to validate that technology product solutions integrated successfully. However, Return Review Program Prototype Management Plans, critical systems development products, were not completed or approved by major stakeholders before significant resources were committed. Uncertainty about the systems development path for the Return Review Program and the absence of Enterprise Life Cycle guidance for prototypes hindered initial systems development efforts. Further, alternative commercial software products were not fully considered prior to selecting technology solutions for the Return Review Program system. Our report provided six recommendations to address our findings on initial development activities for the Return Review Program system.

[36] TIGTA, Ref. No. 2012-20-121, Despite Steps Taken to Increase Electronic Returns, Unresolved Modernized E-File System Risks Will Delay the Retirement of the Legacy e-File System and Implementation of Business Forms (Sept. 2012).
[37] See Appendix IV, Ref. No. 2013-20-029.
[38] See Appendix IV, Ref. No. 2013-20-063.

The National Taxpayer Advocate's Annual Objectives Report to Congress[39] recently cited concerns about the implementation of the Return Review Program system. The report stated:

        …the IRS is now forced to consider non-deployment or a limited deployment of RRP [Return Review Program]. On January 15, 2013, the Information Technology division reported that it did not have enough resources available to bring RRP online by the January 1, 2015, deadline. Even with the additional resources, the IRS would still need another year (until January 1, 2016) to complete the system.

        Not deploying the RRP as intended could impose significant harm and cost on both the IRS and the public. An unexpected failure of the EFDS system [Electronic Fraud Detection System] would force the IRS to decide whether to stop issuing refunds until the system could be repaired, or issue billions of dollars in potentially fraudulent refunds without screening. In addition, as EFDS becomes harder to update and maintain, it could erroneously stop an increasing number of valid refunds. The lack of automation to handle administrative adjustments and actions is straining the IRS's limited resources as fraud and identity theft grow and staffing declines.

The FATCA aims to improve international compliance

The FATCA is an important development in the U.S. efforts to improve tax compliance involving foreign financial assets and offshore accounts.[40] Changes required by the FATCA will: (1) combat tax evasion by U.S. persons holding investments in offshore accounts, (2) expand the IRS's global presence, (3) pursue international tax and financial crimes, (4) fill a gap in the IRS's information reporting system, and (5) generate additional enforcement revenue. The Department of the Treasury issued the final FATCA regulations on January 28, 2013.

During our review,[41] we found that the IRS is developing the FRS within its new Enterprise Life Cycle Iterative Path systems development and testing process. The initial system release was substantially developed and nearing deployment when the IRS terminated the effort in November 2012. Following new Department of the Treasury regulations, changes with intergovernmental agreements, and new processes needed to implement the FATCA, the IRS was unable to fully utilize the initial system. Subsequently, the IRS modified and expanded the scope of the system requirements. The major redesign and initiation of a new development effort was necessary because the IRS did not sufficiently develop requirements for the initial FRS as needed for new system development.

[39] National Taxpayer Advocate, Fiscal Year 2014 Objectives Report to Congress (June 2013).
[40] The FATCA legislation was enacted as part of the Hiring Incentives to Restore Employment Act; Pub. L. No. 111-147, 124 Stat. 71 (2010).
[41] See Appendix IV, Ref. No. 2013-20-118.
We identified a potential inefficient use of resources of $2.2 million based on the IRS exceeding its original cost estimate of $14.4 million to develop and deploy the FRS.

Further, while the IRS has taken steps to improve management controls for this major information technology investment, additional improvements are needed to ensure consistent risk mitigation within program management processes, testing practices, and system requirements management. Our report provided six recommendations to address these issues.

CADE 2 system

The CADE 2 program is one of the top information technology modernization projects in the IRS. The CADE 2 mission is to provide state-of-the-art individual taxpayer account processing and data-centric technologies to improve service to taxpayers and enhance tax administration. CADE 2 will replace the current Individual Master File account settlement system with a relational database processing system and become a key component in the IRS's enterprisewide, data-centric information technology strategy.

Transition State 1 has two major implementation pieces: Daily Processing and Database Implementation. Daily Processing, which uses the Individual Master File and not the CADE 2 database, went into production in January 2012. Figure 8 shows the difference in daily processing from CADE to CADE 2.

Figure 8: Comparison of CADE and CADE 2 Daily Processing
[Figure not reproduced in the extracted text.]
Source: IRS IT organization, Fiscal Year 2013 3rd Quarter IT Investment Report Version 2.2, dated June 30, 2013.

The March 2013 Information Technology Business Value Chart reported that as of March 28, 2013, CADE 2 Transition State 1 Daily Processing posted over 72.65 million returns and issued 66.54 million refunds totaling in excess of $174.43 billion. With the CADE 2 Transition State 1 Daily Processing cycle, the IRS can process returns faster and IRS customer service representatives can more quickly access and update taxpayer records to resolve discrepancies.

Database Implementation, while not fully implemented, developed a relational database to store individual taxpayer account data migrated from Individual Master File tape files on a daily basis. In March 2012, the IRS initialized version 2.1 of the CADE 2 database with 270 million individual taxpayer accounts and more than a billion tax modules. The IRS completed a second database initialization in October 2012 and kept the database current and in sync with the Individual Master File data through December 2012.

During our review[42] of the database deployment, we found that the CADE 2 database cross-functional triage team effectively managed and resolved more than 1,000 data defects. However, our review determined that the downstream system interfaces were not implemented because of data quality issues that exist with the CADE 2 database.
The interfaces were also not implemented by the June 2013 revised date, which had a revised estimated cost of $83 million. In addition, the CADE 2 database's lack of accuracy, completeness, and availability prevents it from serving as the trusted source for the downstream systems. We also determined that the solution architecture of the CADE 2 database interfaces does not meet the IRS's business needs because it does not meet performance expectations and creates resource contention situations between servicing online transactions and query operations. Our report provided four recommendations to address these issues.

Implementation of New Systems for the Patient Protection and Affordable Care Act Provisions

The ACA contains an extensive array of tax law changes that will present a continuing source of challenges for the IRS in the coming years. While the Department of Health and Human Services has the lead role in the policy provisions of the ACA, the IRS administers the law's numerous tax provisions. The IRS estimates that at least 42 provisions will either add to or amend the tax code and at least eight will require the IRS to build new processes that do not exist within the current tax administration system. In addition, the IRS must create new or revise existing tax forms, instructions, and publications; revise internal operating procedures; and reprogram major computer systems used for processing tax returns.

Results from our audits illustrate the need for continued oversight of the IRS's administration of many of these tax-related provisions. In addition, during our July 2013 congressional testimony,[43] we raised the following three concerns regarding implementation of the ACA provisions:

• The protection of Federal tax data provided to the Exchanges.
• New fraud prevention or existing fraud detection systems may not be operational in sufficient time to mitigate ACA fraud risks.
• Final integration testing for IRS and Department of Health and Human Services systems may not be completed before the start of the enrollment period (October 2013).

[42] See Appendix IV, Ref. No. 2013-20-097.

Several key ACA provisions will become effective in Fiscal Year 2014, making both Fiscal Year 2014 and Calendar Year 2015 significant periods for ACA oversight. Because of the extensive changes to numerous tax code provisions, our concerns related to the development and implementation of new ACA systems, and the extensive coordination required between all of the stakeholders to effectively administer the ACA, we have implemented a multiyear oversight strategy that includes audits, evaluations, and investigative resources to assess the IRS's implementation of the ACA. This strategy includes coordination with other agencies, such as the Department of Health and Human Services Office of the Inspector General. Our system development reviews of the IFSV and Advanced Premium Tax Credits Project identified deficiencies that should be addressed to ensure long-term success of the IRS's efforts to develop and implement new information technology systems within its ACA Program.

IFSV Project

The IFSV Project is a core project of the ACA Program and will support open enrollment beginning in October 2013.
The IFSV Project is important to the functionality and success of the ACA Program because it is responsible for developing a solution that will verify income and family size, based on tax return data, for determining an individual's eligibility for the Advanced Premium Tax Credit for health insurance.

By the end of August 2012, the IFSV Project had completed all six systems development components, each delivering a piece of approved functionality.[44] While cost data specific to the IFSV Project were not readily available during our audit, the IRS is generally managing systems development risk areas with the implementation of the new Iterative Path within the Enterprise Life Cycle. However, process improvements are needed to better ensure that (1) the IFSV Project team adheres to configuration management guidelines when baselined requirements are changed and (2) the ACA Program Configuration Control Board emergency meeting processes are effectively communicated. Further, an integrated suite of automated tools could improve requirements management and testing for the IFSV Project. Our report provided three recommendations to address these issues.

[43] ACA – Information Technology Readiness and Data Security: Joint Hearing Before the Committees on Oversight and Government Reform and Homeland Security, 113th Cong. (July 17, 2013) (statement of Alan R. Duncan, Assistant Inspector General for Audit, TIGTA).
[44] See Appendix IV, Ref. No. 2013-23-034.

Premium Tax Credit Program

Beginning in January 2014, eligible taxpayers who purchase health insurance through an Exchange may qualify for and request a refundable tax credit, the Premium Tax Credit, to assist with paying their health insurance premium. The Premium Tax Credit will be claimed on the taxpayer's Federal tax return at the end of each coverage year. Because it is a refundable credit, taxpayers who have little or no income tax liability can still benefit. The Premium Tax Credit can also be paid in advance to a taxpayer's health insurance provider to help cover the cost of premiums. This credit is referred to as the Advanced Premium Tax Credit.

Our review found that the IRS had completed development and testing for the Premium Tax Credit Computation Engine needed to calculate the Advanced Premium Tax Credit and the Remainder Benchmark Household Contribution.[45] The IRS has also developed a process to verify the accuracy of the Premium Tax Credit Computation Engine calculations. However, improvements are needed to ensure the long-term success of the Premium Tax Credit Project by adhering to important systems development controls for configuration and change management, interagency testing, and fraud detection and mitigation. Our report provided seven recommendations to address these issues.

Updates for the Integrated Financial System to Support Internal Revenue Service Operations

In November 2004, the IRS replaced the Automated Financial System with the IFS. The system was implemented as a major project under the Modernization Program, but in November 2005 the IFS was reclassified as Operations and Maintenance funding. For Fiscal Years 2012 and 2013, the IRS requested nearly $37.5 million to upgrade the IFS.
The IRS recently initiated approximately $10.5 million in system updates for the IFS that include: (1) encryption of graphical user interface traffic, (2) update of the platform with functional enhancements, and (3) support of a Department of the Treasury mandate for all Federal agencies. At the time of our review,[46] the IRS planned to complete deployment of these system updates in November 2012.

During our audit of the IFS, we found that the IRS did not comply with Internal Revenue Manual guidance requiring that test cases be developed to support requirements testing and that the expected results from testing be compared to the actual results to determine if requirements were sufficiently tested. Additionally, our audit found that the IRS did not maintain evidence to validate the actual test results. IFS management did not ensure that testers consistently followed Internal Revenue Manual guidelines to obtain and maintain objective evidence, such as screen prints, to verify that requirements were sufficiently tested. When expected results are not fully presented in test cases, or documents used to verify actual test results are not available, the IRS cannot verify the adequacy of its system testing activities. This increases the risk of adverse impact on the functionality of the IFS. Our report provided six recommendations to address these issues.

[45] See Appendix IV, Ref. No. 2013-23-119.
[46] See Appendix IV, Ref. No. 2013-20-030.

Information Technology Service Management Disciplines to Achieve Program Efficiencies and Savings Were Implemented; However, Additional Cost Savings Can Be Realized

The IRS IT organization plays an important role in helping the IRS meet its tax administration responsibilities each year. It is not only responsible for the efficient and secure processing and transfer of taxpayer data, but it also supports the needs of over 95,000 employees who rely on equipment and system availability. The IRS needs to ensure that it leverages viable technological advances as it improves its overall operational environment.

Attaining Information Technology Infrastructure Library (ITIL®) maturity is a critical milestone for the IRS in developing a world-class information technology infrastructure that will create greater efficiency and productivity in supporting taxpayers and meeting the IRS's mission. The ITIL is a set of practices for information technology service management. The ITIL focuses on the five key service management principles pertaining to service strategy, design, transition, operation, and continual improvement. The IRS reported that the IT organization had achieved ITIL Maturity Level 3 in October 2012.

Achieving program efficiencies and cost savings is an important area for the IRS, especially when considering that its Fiscal Year 2012 budget was reduced over $300 million from Fiscal Year 2011. As a result of its reduced budget, the IRS reduced its administrative costs, offered early outs and buyouts, and made difficult decisions affecting taxpayer services and enforcement operations. While the IRS has made progress improving program effectiveness and reducing costs, this area continues to remain a challenge for the IRS.
Our recent audit work illustrates the IRS's accomplishments and opportunities to achieve cost savings in information technology areas including data center consolidation, hardware management, and software management. Several of our reviews resulted in the reporting of outcome measures. See Appendix V for a list of outcome measures we reported in Fiscal Year 2013.

Data Center Consolidation Initiative

In February 2010, the OMB established the Federal Data Center Consolidation Initiative as a Governmentwide initiative designed to reduce the energy and real estate footprint of Federal data centers while increasing efficiency, strengthening the overall Government security posture, and promoting green information technology by reducing the total number of Federal data centers.

The IRS has exceeded its yearly goals in the first two years for reducing data center space and improving the energy efficiency of its data centers. However, management of the project needs to be improved to ensure that the IRS meets its remaining Data Center Consolidation Initiative goals by the end of Fiscal Year 2015. Two years of the IRS's five-year Data Center Consolidation Initiative have elapsed without a clear plan for how the overall data center space reduction goals will be accomplished. During our review,[47] the IRS decided to close the Enterprise Computing Center in Detroit, with an estimated savings of approximately $15 million per year. Our report provided eight recommendations to address these issues.

Aircard and BlackBerry® Smartphone Program

Our audit identified that the processes for assigning and monitoring the use of aircards and BlackBerry smartphones are not adequate.[48] We found that assignment of these devices is generally based on job series classifications without adequately ensuring that a business need exists. For example, management did not always consider how frequently an employee actually works outside an IRS office prior to assigning devices. We also found that managerial approvals were not always obtained when employees who were not in a profiled job series were assigned these devices. We identified 2,560 devices without documented management approval, costing the IRS more than $950,000 in Fiscal Year 2011, or potentially about $4.8 million over five years.

In addition, processes for monitoring aircard and BlackBerry smartphone use do not ensure that the IRS is not paying for unused or underused equipment. Established processes to notify employees when aircards were not used for 90 calendar days were not being followed, and there was no formal process to monitor BlackBerry smartphone use for similar periods of inactivity. We identified periods of inactivity during Fiscal Year 2011 for aircards and BlackBerry smartphones ranging from three to 12 months; however, the IRS still incurred monthly access fees totaling approximately $1.1 million for these devices. Our report provided six recommendations to address these issues.

Information technology hardware maintenance contracts

Our review identified several weaknesses in the oversight of selected information technology hardware maintenance contracts.[49] Specifically, we found instances where contracting personnel were not always effectively monitoring the contracts.
We also identified an instance where the\nIRS did not receive contract deliverables in accordance with the contract\xe2\x80\x99s requirements or\nsubmit written modifications when necessary to update an existing contract. These scenarios\ncould potentially cause the IRS to unnecessarily pay for maintenance on assets that have been\nretired and no longer need this service. When contracts are not properly administered, the IRS\n\n47\n   See Appendix IV, Ref. No. 2013-20-013.\n48\n   See Appendix IV, Ref. No. 2013-10-010.\n49\n   See Appendix IV, Ref. No. 2013-22-094.\n                                                                                        Page 29\n\x0c                            Annual Assessment of the Internal Revenue Service\n                                     Information Technology Program\n\n\n\nmay not receive the desired outcome or the best return on its investment. Our report provided\ntwo recommendations to address these issues.\n\nTreasury Enhanced Security Initiatives Project\nIn addition to the information security deficiencies discussed in an earlier section of this report,\nwe found that the IRS appropriately acquired the project\xe2\x80\x99s multiple software components and the\nproject team completed key documentation during the development process, ensuring that critical\nissues were identified and addressed.50 However, the project experienced several delays, and the\nproject\xe2\x80\x99s oversight board did not take required actions to manage the delays or associated costs.\nAt the time of our review, the IRS was scheduled to deploy the security tools in December 2010\nbut now plans to complete the deployment in May 2013. As a result, we identified a potential\noutcome measure of $1,151,939 in inefficient use of resources on contractor support services for\nthe Treasury Enhanced Security Initiatives Project from its original December 2010 planned\ndeployment of the Symantec Risk Automation Suite component through April 2012. 
Our audit report provided three recommendations to address these issues.

50 See Appendix IV, Ref. No. 2013-20-016.

The Internal Revenue Service Needs to Strengthen Its Hardware and Software Management Processes

As previously mentioned, the IRS achieved a significant milestone in October 2012 when an independent research company affirmed that the IRS IT organization had achieved ITIL Maturity Level 3. At Maturity Level 3, the organization operates proactively rather than reactively, has a set of defined, documented, established, and integrated processes, and focuses on the customer and on the appropriate level of service support provided by information technology operations. IRS information technology services have successfully completed the ITIL process called Service Transition, which incorporates asset management. Attaining this maturity is critical to developing a world-class information technology infrastructure that will create greater efficiency and productivity in supporting taxpayers and meeting the IRS's mission. Although the IRS IT organization achieved this major milestone, it still needs to correct the deficiencies identified during our reviews of its information technology asset management system and its software licensing.

Improvements to hardware asset management are needed to ensure complete and accurate inventory data

In August and September 2011, the User and Network Services organization replaced its former inventory system, the Information Technology Asset Management System, with the KISAM system. The User and Network Services organization recognizes the KISAM-AM module as the sole authoritative source and official inventory record for all information technology assets within the IRS, with the exception of software assets (including software and software licenses).

Although the IRS successfully migrated inventory data from the legacy inventory system to the KISAM-AM, our review identified that the procedures established to ensure the accuracy of information technology asset records within the KISAM-AM were not being followed.51 Our review also identified several conditions demonstrating that the IT organization is unable to maintain effective controls over its information technology assets. For example, IRS offices did not always properly reconcile information technology assets or resolve the asset records identified as needing updating or correction. In addition, offices were not taking sufficient steps to recover assets placed in a temporary "missing" status, and the reports the offices used to track down missing assets did not provide disposal information, so an office could not tell from the report whether a "missing" asset had in fact already been disposed of. An inaccurate and incomplete inventory system decreases data integrity and exposes the IRS to the loss or theft of its assets. Our report provided eight recommendations to address these issues.

Improvements to software asset management are needed to ensure resources are used efficiently

During our audit of desktop and laptop software licensing,52 we found that the IRS does not have enterprisewide or local software license management policies and procedures, an enterprisewide license management structure, or defined roles and responsibilities for the organizational entities that conduct software license management.
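The hardware findings above (assets left in "missing" status, tracking reports without disposal information, reconciliations not completed) and the software license findings in this section both come down to the same control: a routine, automated comparison of the inventory of record against what can actually be observed. The Python below is an added example written for this assessment; it is not IRS code and is not part of the KISAM-AM system. The record layout, the status vocabulary ("in_use", "missing", "disposed"), the 90-day escalation limit, the per-device licensing model, and all sample records are assumptions constructed for illustration.

```python
"""Inventory reconciliation checks of the kind the findings above describe.

Example code, not IRS or KISAM-AM code. All records below are constructed
sample data; the field names, status values and the 90-day limit are assumptions."""
from collections import Counter
from dataclasses import dataclass
from datetime import date

MISSING_AGE_LIMIT_DAYS = 90  # assumed limit before a "missing" record must be escalated


@dataclass(frozen=True)
class Asset:
    tag: str           # asset tag shared by the inventory, physical scans and disposal records
    status: str        # "in_use", "missing" or "disposed" (assumed status vocabulary)
    status_date: date  # date the current status was recorded


def reconcile_hardware(inventory, scanned_tags, disposals, today):
    """Compare the inventory of record with a physical verification and disposal records.

    inventory:    list of Asset (the authoritative record)
    scanned_tags: set of tags physically verified in this reconciliation cycle
    disposals:    dict tag -> date the asset was certified disposed or transferred
    Returns a dict of discrepancy lists; each entry needs a record update or a recovery action.
    """
    by_tag = {a.tag: a for a in inventory}
    report = {
        "untracked_but_found": sorted(scanned_tags - by_tag.keys()),  # device exists, no record
        "in_use_not_found": [],      # record says in use, nobody could locate the device
        "missing_overdue": [],       # (tag, days) left in "missing" beyond the limit
        "missing_but_disposed": [],  # (tag, date) being chased although already disposed
        "disposed_but_found": [],    # disposal record exists, device is still present
    }
    for a in inventory:
        disposed_on = disposals.get(a.tag)
        if a.status == "in_use" and a.tag not in scanned_tags:
            report["in_use_not_found"].append(a.tag)
        elif a.status == "missing":
            if disposed_on is not None:
                # the disposal information the tracking reports lacked: close it, do not chase it
                report["missing_but_disposed"].append((a.tag, disposed_on))
            else:
                age = (today - a.status_date).days
                if age > MISSING_AGE_LIMIT_DAYS:
                    report["missing_overdue"].append((a.tag, age))
        if disposed_on is not None and a.tag in scanned_tags:
            report["disposed_but_found"].append(a.tag)
    return report


def check_licenses(entitlements, installs):
    """Compare seats owned per product against seats actually deployed.

    entitlements: dict product -> seats purchased (absent means no agreement on file)
    installs:     iterable of (host, product) pairs from a software inventory scan;
                  a duplicate pair (same host scanned twice) counts once
    Returns dict product -> {installed, entitled, over_deployed, unused_seats}.
    """
    installed = Counter(product for _host, product in set(installs))
    result = {}
    for product in sorted(set(entitlements) | set(installed)):
        ent = entitlements.get(product, 0)
        inst = installed.get(product, 0)
        result[product] = {
            "installed": inst,
            "entitled": ent,
            "over_deployed": max(0, inst - ent),  # licensing compliance exposure
            "unused_seats": max(0, ent - inst),   # seats paid for but idle
        }
    return result


# Constructed sample data (not IRS records).
TODAY = date(2013, 9, 30)
SAMPLE_INVENTORY = [
    Asset("TAG-0001", "in_use", date(2013, 1, 15)),
    Asset("TAG-0002", "in_use", date(2013, 1, 15)),     # not located in the scan
    Asset("TAG-0003", "missing", date(2013, 3, 1)),     # missing 213 days, no disposal record
    Asset("TAG-0004", "missing", date(2013, 9, 10)),    # missing 20 days, still within the limit
    Asset("TAG-0005", "missing", date(2013, 5, 1)),     # chased as missing but actually disposed
    Asset("TAG-0006", "disposed", date(2012, 11, 30)),  # disposed on paper, still physically present
]
SAMPLE_SCAN = {"TAG-0001", "TAG-0006", "TAG-9999"}     # TAG-9999 has no inventory record at all
SAMPLE_DISPOSALS = {"TAG-0005": date(2013, 6, 12), "TAG-0006": date(2012, 11, 30)}

SAMPLE_ENTITLEMENTS = {"OfficeSuite": 3, "PDFEditor": 5, "StatsPackage": 1}
SAMPLE_INSTALLS = [
    ("WS-01", "OfficeSuite"), ("WS-02", "OfficeSuite"),
    ("WS-03", "OfficeSuite"), ("WS-04", "OfficeSuite"),  # four installs against three seats
    ("WS-01", "PDFEditor"), ("WS-01", "PDFEditor"),      # duplicate scan record, counts once
    ("WS-05", "UnlicensedTool"),                         # no agreement on file
]

if __name__ == "__main__":
    for key, items in reconcile_hardware(SAMPLE_INVENTORY, SAMPLE_SCAN, SAMPLE_DISPOSALS, TODAY).items():
        print(f"{key:22s} {items}")
    for product, counts in check_licenses(SAMPLE_ENTITLEMENTS, SAMPLE_INSTALLS).items():
        print(f"{product:16s} {counts}")
```

The hardware check turns the tracking-report finding into a rule: a record in "missing" status is escalated only when no disposal record exists for it, so the output itself carries the disposal information the offices lacked, and a disposal record for a device that is still physically present is reported as its own discrepancy rather than silently trusted. The license check counts a host once per product regardless of duplicate scan records and reports over-deployment and idle seats separately, because the first is a compliance exposure and the second a cost one; both are the "relationships among agreements and inventory" that cannot be analyzed without an enterprisewide inventory.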
The IRS also lacks an enterprisewide inventory with comprehensive data on all software and software licenses, which impedes its ability to analyze the relationships among its software license agreements and vendors and to buy software licenses and maintenance more cost-effectively.

Until the IRS implements an effective software license management program, it incurs increased risk. This risk includes: 1) not complying with licensing agreements, which could result in embarrassment, legal problems, and financial liability; 2) not using licenses in the most cost-effective manner; and 3) not effectively using licensing data to reduce software purchase and maintenance costs. Our report provided six recommendations to address these issues.

51 See Appendix IV, Ref. No. 2013-20-089.
52 See Appendix IV, Ref. No. 2013-20-025.

There Has Been a Lack of Progress in Providing Taxpayer Access to Account Information via the Internet

RRA 98 required the IRS to develop procedures to allow taxpayers who file returns electronically to review their account online by December 31, 2006; the IRS did not meet this requirement. The objective of the IRS eAuthentication Project is to design and build a common service to proof and register individuals and to provide and validate credentials for ongoing system access using the Internet.
The IRS stated that the Get Transcript application is scheduled to launch in January 2014 and will be the first step toward expanding transcript access online.

Our review of the IRS's development and implementation of an effective eAuthentication solution for taxpayers to access their tax information53 found that applications were created to increase online taxpayer functionality; however, these applications do not meet the criteria of RRA 98. The IRS has not made adequate progress in allowing taxpayers to access their tax accounts. Currently, taxpayers cannot review account information electronically.

We believe that IRS leadership did not prioritize the applications that would meet the requirements of RRA 98. Rather, the IRS devoted resources to the development and implementation of several applications that do not meet the intent of RRA 98. For example, in August 2012, the IRS deployed the eTranscripts for Banks application, which allowed a small number of taxpayers to securely verify their identities with the IRS and participate in the eTranscripts for Banks program. However, the application does not meet the intent of RRA 98 because it only allows taxpayers to request that their tax account and tax return transcripts be sent to their lending institution electronically rather than by a hardcopy request. It does not provide the ability to view, print, or perform any other functions. In March 2013, the IRS deployed the Where's My Amended Return?54 application, but it did not directly meet the requirement for account review. Both applications nevertheless provided ancillary benefits to taxpayers.
Besides not developing applications that meet the RRA 98 requirements, we found the following problems.

• The IRS eAuthentication project team did not perform complete capacity testing on eAuthentication Release 1 for several reasons (e.g., instability of the IRS information technology infrastructure and concerns over the security of data in the testing environment). Without capacity testing, the IRS does not know how many users can access eAuthentication at once before it fails and cannot verify whether eAuthentication will function as intended under load.

• Actual cost information is not readily available for the project because the project office has no formal system to obtain actual costs. The project manager uses a less formal approach (e.g., calling people or manually tracking expenses) to obtain actual cost information. Because of the informal nature of this process, the cost information obtained and ultimately reported to Cybersecurity executive management is an estimate that may be inaccurate and unreliable. Executive management should be given the best information possible when making key resource decisions.

Our audit report provided three recommendations to address these issues.

53 See Appendix IV, Ref. No. 2013-20-127.
54 Allows taxpayers to track the status of an amended return.

Potential Savings for New Bring Your Own Device Pilot

Businesses and Government agencies are receptive to BYOD programs because they have the potential to provide cost savings, increase productivity, and improve employee satisfaction. Employees tend to like a BYOD program because it allows them to use their own preferred device and, if they are required to have a cell phone for work, to carry only one device. Cost savings can be realized if the organization's cell phone ownership, service, and/or support are reduced or discontinued as a result of a BYOD program. However, achieving these benefits is contingent on implementation details and workforce acceptance.

The driving force behind the BYOD program at the IRS has been the investigation of mobile technology that provides business value to employees and increases employee productivity and satisfaction. Starting in September 2010, the IRS began a phased approach to implementing a BYOD program.
In June 2012, the IRS started its third phase, a true BYOD program, enabling it to connect up to 1,000 devices.

Our audit of the IRS's BYOD Pilot Project55 found that the IRS took several noteworthy actions to implement its BYOD pilot, including taking a phased approach and considering security. However, although it has spent more than $900,000 on mobility efforts to date, the IRS has not developed a complete cost-benefit analysis to justify implementing the BYOD concept within the IRS.

Before starting the BYOD pilot, the IRS prepared a simple cost analysis that compared the estimated cost of a BYOD program to the cost of the IRS's existing BlackBerry and cell phone programs, but the analysis was not updated with complete information on assumptions and costs. Consequently, as the pilot expanded, IRS managers relied on the original assumptions and cost projections in the analysis, which did not provide a sufficient basis for informed decision making. BYOD could provide significant benefits; however, these benefits remain unproven until the IRS conducts a thorough cost-benefit analysis. Our audit report provided one recommendation to address this issue.

55 See Appendix IV, Ref. No. 2013-20-108.

Appendix I

Detailed Objective, Scope, and Methodology

Our overall objective was to assess the progress of the IRS's Information Technology Program, including modernization, security, and operations, for Fiscal Year 2013. This review was required by RRA 98. To accomplish our objective, we:

I.   Obtained information on the IRS budget and staffing to provide context on the size of the IRS IT organization.

II.  Assessed systems security and privacy issues. We determined which are at high risk in delivering IRS program objectives and protecting tax administration data.
     A. Obtained and reviewed TIGTA's Systems Security Directorate audit reports issued during Fiscal Year 2013. During the review, we analyzed and prepared an overall assessment of security and privacy issues.
     B. Identified and summarized other relevant TIGTA and/or external oversight assessments dealing with security and privacy (e.g., assessments performed by the GAO and the National Taxpayer Advocate).

III. Assessed systems modernization and applications development issues. We determined which are at high risk in delivering IRS program objectives and protecting tax administration data.
     A. Obtained and reviewed TIGTA's Systems Modernization and Applications Development Directorate audit reports issued during Fiscal Year 2013. During the review, we analyzed and prepared an overall assessment of modernization and applications development issues.
     B. Identified and summarized other relevant TIGTA and/or external oversight assessments dealing with modernization and applications development (e.g., assessments performed by the GAO and the National Taxpayer Advocate).

IV.  Assessed systems operations issues. We determined which are at high risk in delivering IRS program objectives and protecting tax administration data.
     A. Obtained and reviewed TIGTA's Systems Operations Directorate audit reports issued during Fiscal Year 2013.
During the review, we analyzed and prepared an overall assessment of systems operations issues.
     B. Identified and summarized other relevant TIGTA and/or external oversight assessments dealing with operations (e.g., assessments performed by the GAO and the National Taxpayer Advocate).

Internal controls methodology

Internal controls relate to management's plans, methods, and procedures used to meet their mission, goals, and objectives. Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations. They include the systems for measuring, reporting, and monitoring program performance. We did not evaluate internal controls as part of this review because doing so was not necessary to satisfy our review objective.

Appendix II

Major Contributors to This Report

Alan R. Duncan, Assistant Inspector General for Audit (Security and Information Technology Services)
Gwen McGowan, Director, Systems Modernization and Applications Development
Kent Sagara, Director, Systems Security
Danny Verneuille, Director, Systems Operations
Diana Tengesdal, Audit Manager
Sarah Shelton, Lead Auditor
Charlene Elliston, Senior Auditor
Louis Lee, Senior Auditor
Larry Reimer, Senior Auditor
Tina Wong, Senior Auditor

Appendix III

Report Distribution List

Acting Commissioner
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Office of the Deputy Commissioner for Services and Enforcement SE
Chief, Agency-Wide Shared Services OS:A
Commissioner, Wage and Investment Division SE:W
Deputy Chief Information Officer for Operations OS:CTO
Deputy Chief Information Officer for Strategy and Modernization OS:CTO
Deputy Commissioner, Services and Operations SE:W
Associate Chief Information Officer, Affordable Care Act – Program Management Office OS:CTO:ACA
Associate Chief Information Officer, Applications Development OS:CTO:AD
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Associate Chief Information Officer, Enterprise Services OS:CTO:ES
Associate Chief Information Officer, Information Technology – Program Management Office OS:CTO:MP
Associate Chief Information Officer, Strategy and Planning OS:CTO:SP
Associate Chief Information Officer, User and Network Services OS:CTO:UNS
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO;CPIC:IC
Audit Liaison: Director, Business Planning and Risk Management OS:CTO:SP:RM

Appendix IV

List of Treasury Inspector General for Tax Administration Reports Reviewed

Each entry gives the report number, the reference number, the audit report title, and the report issuance date.

 1.  2013-10-010  Inadequate Aircard and BlackBerry Smartphone Assignment and Monitoring Processes Result in Millions of Dollars in Unnecessary Access Fees (January 11, 2013)
 2.  2013-20-013  The Data Center Consolidation Initiative Has Made Significant Progress, but Program Management Should Be Improved to Ensure That Goals Are Achieved (June 10, 2013)
 3.  2013-20-016  Significant Delays Hindered Efforts to Provide Continuous Monitoring of Security Settings on Computer Workstations (January 24, 2013)
 4.  2013-20-023  Improvements Are Needed to Ensure the Effectiveness of the Privacy Impact Assessment Process (February 27, 2013)
 5.  2013-20-025  Desktop and Laptop Software License Management Is Not Being Adequately Performed (June 25, 2013)
 6.  2013-20-030  Integrated Financial System Updates Are Improving System Security, but Remaining Weaknesses Should Be Addressed (March 28, 2013)
 7.  2013-23-034  Affordable Care Act: The Income and Family Size Verification Project: Improvements Could Strengthen the Internal Revenue Service's New Development Process (March 29, 2013)
 8.  2013-20-039  Enhancements Made to the Modernized e-File System in Release 8 Should Improve System Performance for the 2013 Filing Season (April 22, 2013)
 9.  2013-20-063  Improvements Are Needed to Ensure Successful Development and System Integration for the Return Review Program (July 26, 2013)
10.  2013-20-089  Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss (September 16, 2013)
11.  2013-20-125  Customer Account Data Engine 2 Database Deployment Is Experiencing Delays and Increased Costs (September 23, 2013)
12.  2013-20-106  Automated Monitoring Is Needed for the Virtual Infrastructure to Ensure Secure Configurations (September 18, 2013)
13.  2013-20-107  Full Compliance With Trusted Internet Connection Requirements Is Progressing; However, Improvements Would Strengthen Security (September 17, 2013)
14.  2013-20-108  Better Cost-Benefit Analysis and Security Measures Are Needed for the Bring Your Own Device Pilot (September 24, 2013)
15.  2013-20-117  Improved Controls Are Needed to Ensure That All Planned Corrective Actions for Security Weaknesses Are Fully Implemented to Protect Taxpayer Data (September 27, 2013)
16.  2013-20-118  Foreign Account Tax Compliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System (September 27, 2013)
17.  2013-22-094  Increased Oversight of Information Technology Hardware Maintenance Contracts Is Necessary to Ensure Against Paying for Unnecessary Services (September 24, 2013)
18.  2013-23-119  Affordable Care Act: Improvements Are Needed to Strengthen Systems Development Controls for the Premium Tax Credit Project (September 27, 2013)
19.  2013-20-127  While Efforts Are Ongoing to Deploy a Secure Mechanism to Verify Taxpayer Identities, the Public Still Cannot Access Their Tax Account Information Via the Internet (September 25, 2013)
20.  2013-20-128  Fiscal Year 2013 FISMA Unclassified Systems (September 27, 2013)

Appendix V

Outcome Measures Reported in Fiscal Year 2013

Each entry gives the audit report title, the type of measure, and the amount.

Inadequate Aircard and BlackBerry Smartphone Assignment and Monitoring Processes Result in Millions of Dollars in Unnecessary Access Fees
    Cost Savings – Funds Put to Better Use: $5.9 million over 5 years

The Data Center Consolidation Initiative Has Made Significant Progress, but Program Management Should Be Improved to Ensure That Goals Are Achieved
    Cost Savings – Funds Put to Better Use: $60 million over 4 years

Weaknesses in Asset Management Controls Leave Information Technology Assets Vulnerable to Loss
    Reliability of Information: 60,548 assets
    Protection of Resources: 106 assets totaling $6,857,798

Foreign Account Tax Compliance Act: Improvements Are Needed to Strengthen Systems Development Controls for the Foreign Financial Institution Registration System
    Inefficient Use of Resources: $2.2 million

Appendix VI

Glossary of Terms

Advanced Premium Tax Credit: Paid in advance to a taxpayer's insurance company to help cover the cost of premiums.

Affordable Care Act (ACA): In March 2010, the President signed into law the Patient Protection and Affordable Care Act to provide more Americans with access to affordable health care by January 1, 2014.

Asset Manager: KISAM module that tracks both information technology and non–information technology equipment used throughout the IRS.

Auditable Events: Actions taken on IRS systems that shall be captured and recorded for subsequent audit review based on the impact level of the system (high, moderate, or low) as determined by the guidelines in NIST Federal Information Processing Standard 199, Standards for Security Categorization of Federal Information and Information Systems. Internal Revenue Manual 10.8.3 contains lists of auditable events applicable to systems categorized as high, moderate, or low based on the NIST standards.

Baseline Configuration: A set of specifications for a system, or for a configuration item within a system, that has been formally reviewed and agreed on at a given point in time and that can be changed only through change control procedures. The baseline configuration is used as a basis for future builds, releases, and/or changes.

Best Practices: Proven activities or processes that have been successfully used by multiple organizations.

Capacity Test: Test used to determine how many users and/or transactions a given system will support and still meet performance goals.

Change Management: The transition of a changed or new product through development to deployment into the current production environment with minimum disruption to users. This can occur in a number of ways, including, but not limited to: (1) implementation of a change to a product baseline, (2) establishing a new product baseline, and (3) a change to a Service Level Agreement.

Change Request: The method for requesting approval to change a baselined product or other controlled item.

Citrix Environment: Provides an environment for server and desktop virtualization and cloud computing technologies.

Configuration Control Board: Serves as the change approval authority for baselined products.

Configuration Settings: The set of parameters that can be changed in hardware, software, and/or firmware that affect the security posture and/or functionality of the information system.

Consolidation: An approach to reducing data center space that involves moving servers to a few selected data centers or moving small data centers to larger centers.

Corporate Files Online: This system provides online transactional access to Individual and Business Master File data, Information Return Program data, and various other related data collections. These files are accessed via IRS-developed Customer Information Control System command codes.

Customer Account Data Engine 2: An IRS application that will replace the existing Individual Master File and CADE applications. CADE 2 is designed to provide state-of-the-art individual taxpayer account processing and technologies to improve service to taxpayers and enhance IRS tax administration.

Database Administrator: An individual who performs all activities related to maintaining a correctly performing and secure database environment. Responsibilities include design, implementation, and maintenance of the database system.

Encryption: The process of transforming data so that it cannot be read without the corresponding key, in order to prevent unauthorized people or systems from gaining access to its contents.

Enterprise Life Cycle: A structured business systems development methodology that requires the preparation of specific work products during different phases of the development process.

Federal Information Security Management Act (FISMA): A statute that requires agencies to assess risks to information systems and provide information security protections commensurate with the risks. FISMA also requires that agencies integrate information security into their capital planning and enterprise architecture processes, conduct annual information systems security reviews of all programs and systems, and report the results of those reviews to the OMB. (Title III of the E-Government Act of 2002, P.L. 107-347.)

Filing Season: The period from January through mid-April when most individual income tax returns are filed.

Fiscal Year: A 12-consecutive-month period ending on the last day of any month. The Federal Government's fiscal year begins on October 1 and ends on September 30.

Form 1099: The 1099 series is used to report various types of income received throughout the year other than wages paid.

Form W-2: A form used to report an employee's wages paid and taxes withheld for the year.

Governance: A set of processes, guidelines, and policies that guide and affect the direction of an organization's behavior or assets.

Government Accountability Office: The audit, evaluation, and investigative arm of Congress that provides analyses, recommendations, and other assistance to help Congress make informed oversight, policy, and funding decisions.

Green Information Technology: Optimal use of information and communication technology for managing the environmental sustainability of enterprise operations as well as that of their products, services, and resources, throughout their life cycles.

Health and Human Services: The U.S. Government's principal agency for protecting the health of all Americans and providing essential human services.

Impact Assessment: Evaluation of a change request to determine its impact on a project's schedule, cost, other dependent projects, and upstream and downstream systems.

Income and Family Size Verification: Will verify income and family size for individuals requesting eligibility for an Advanced Premium Tax Credit for health insurance.

Individual Master Files Online: This system provides online transactional access to Individual Master File data. See the entry for Corporate Files Online.

Information Technology Infrastructure Library: Provides guidelines for the use and management of software and licenses. ITIL® is a widely accepted set of concepts and practices for information technology service management derived from user and vendor experts in both the private and public sectors. It focuses on key service management principles pertaining to service strategy, design, transition, operation, and continual improvement, with each principle covered in a separate ITIL core publication. Software asset management is a key process described within the service transition core publication. ITIL also has a separate publication entitled Best Practice Software Asset Management that covers software asset and license management best practices in more depth than the core publication. ITIL best practices recommend 1) the development of software license management policies and procedures and roles and responsibilities; 2) a centralized, enterprisewide management structure for software asset management; 3) the use of software license management tools; and 4) the creation and maintenance of accurate enterprisewide inventories of software licenses.

Infrastructure: The fundamental structure of a system or organization. The basic, fundamental architecture of any system (electronic, mechanical, social, political, etc.) determines how it functions and how flexible it is to meet future requirements.

Interface: A point at which independent systems interact.

Knowledge Incident/Problem Service Asset Management: An IRS application that maintains the complete inventory of information technology and non–information technology assets, computer hardware, and software.
It is also the reporting tool for problem management with all\n                             IRS-developed applications and shares information with the Enterprise\nSystem\n                             Service Desk.\nLegacy e-File System         The current IRS electronic filing system that is being replaced by the\n                             Modernized e-File system.\nMaterial Weakness            A material weakness is a deficiency, or a combination of deficiencies, in\n                             internal control such that there is a reasonable possibility that a material\n                             misstatement of the entity\xe2\x80\x99s financial statements will not be prevented or\n                             detected and corrected on a timely basis. A deficiency in internal control\n                             exists when the design or operation of a control does not allow management\n                             or employees, in the normal course of performing their assigned functions, to\n                             prevent or detect and correct misstatements on a timely basis. 
Materiality\n                             represents the magnitude of an omission or misstatement of an item in a\n                             financial report that, when considered in light of surrounding circumstances,\n                             makes it probable that the judgment of a reasonable person relying on the\n                             information would have been changed or influenced by the inclusion or\n                             correction of the item.\nMissing                      KISAM-AM asset assignment status of lost, stolen, or temporarily missing\n                             assets until a determination is made.\nModification                 Any formal change to the terms and conditions of a contract, delivery order,\n                             or task order, either within or outside the scope of the original agreement.\n\n\n                                                                                                      Page 44\n\x0c                          Annual Assessment of the Internal Revenue Service\n                                   Information Technology Program\n\n\n\n\nTerm                        Definition\nMultifactor Authentication Achieved by combining two or three independent credentials: what the user\n                           knows (password/Personal Identification Number), what the user has (security\n                           token security or smart card), and what the user is (biometric verification).\nNational Institute of       A nonregulatory Federal agency within the Department of Commerce that is\nStandards and Technology    responsible for developing standards and guidelines, including minimum\n                            requirements, for providing adequate information security for all Federal\n                            Government agency operations and assets.\nPersonally Identifiable     Information that can be used to uniquely identify, contact, or locate a single\nInformation                
 individual or that can be used with other sources to uniquely identify a single\n                            individual.\nPortal                      A point of entry into a network system that includes a search engine or a\n                            collection of links to other sites, usually arranged by topic.\nRequirement                 A formalization of a need and the statement of a capability or condition that a\n                            system, subsystem, or system component must have or meet to satisfy a\n                            contract, standard, or specification.\nRetired                     KISAM-AM asset assignment status of removed from active inventory and no\n                            longer used. This assignment is used in conjunction with disposal codes.\nRisk                        A potential event that could have an unwanted impact on the cost, schedule,\n                            business, or technical performance of an information technology program,\n                            project, or organization.\nSecurity Controls           Security controls assessments are conducted in the IRS production\nAssessment Test Plan        environment and consist of activities designed to ensure that the system\xe2\x80\x99s\n                            security safeguards are in place and functioning as intended.\nSignificant Deficiency      An instance of weak or missing controls that are of sufficient importance to be\n                            reported to the next level of management.\nSoftware License            The legal contract between the owner and purchaser of a piece of software\nAgreement                   that establishes the purchaser\xe2\x80\x99s rights. 
A software license agreement provides\n                            details and limitations on where, how, how often, and when the software can\n                            be installed and used and provides restrictions that are imposed on the\n                            software. The agreement includes the licensing model used for defining and\n                            measuring the use of the software. For example, a common simple license\n                            model could be based on how many people can use the software and how\n                            many systems the software may be installed on. Software companies also\n                            make special license agreements for large business and Government entities\n                            that may be different from those provided to the general consumer.\n\n\n                                                                                                  Page 45\n\x0c                   Annual Assessment of the Internal Revenue Service\n                            Information Technology Program\n\n\n\n\nTerm                 Definition\nStakeholders         An individual or organization that is materially affected by the outcome of the\n                     system. Examples of project stakeholders include the customer, the user\n                     group, the project manager, the development team, and the testers.\nSymantec Risk        Tool with capabilities that relate directly to the objectives of the NIST Secure\nAutomation Suite     Content Automation Protocol, a method for using specific standards to enable\n                     automated and integrated vulnerability management and measurement and\n                     policy compliance evaluation. 
Provides continuous and automated\n                     information technology risk metrics.\nTest Case            A test case is created to specify and document the conditions to be tested and\n                     to validate that system functions meet requirements as translated into\n                     documented functional design. A test case also tests outside the normal or\n                     expected functions in order to find defects.\nValidation           Verification that something is correct or conforms to a certain standard.\nVirtualization       An approach that helps to accomplish data center consolidation. It involves\n                     moving applications and data on several physical servers onto a single virtual\n                     server.\nWindows 2000         Provides an environment for use on both client and server computers.\n\n\n\n\n                                                                                            Page 46\n\x0c'